New cyber rules give jitters to wallet and payment companies

According to PPIs, the ministry now also expects them to report cyber attacks to CERT-In (Indian Computer Emergency Response Team)Pratik Bhakta | ET Bureau | March 11, 2017, 08:12 IST

The latest guidelines issued by the Information Technology Ministry on cyber security of prepaid payment instruments, or PPIs, has caused a concern among wallet and payment players regarding the possibility of dual control from the Reserve Bank of India as well as the central government.

PPIs, regulated by the RBI under the powers bestowed upon it by the government through the Payments and Settlement Systems Act (2007), have said there is an urgent need for better coordination between the two entities in order to prevent overlap of jurisdictions.

The ministry has asked wallet companies to adopt multiple-factor authentication for payments, which, the industry sources say, can kill their business, as the new layer will interfere with the instant payment mechanism.

“Wallets are mostly for small-ticket transactions. Introducing various levels for authentication can cause payments to fail as the internet connection is still poor in rural areas and it can cause friction in smooth payments experience that we offer,” said Sandeep Ghule, cofounder of Transerv, a Mumbai-based PPI licence holder.

According to PPIs, the ministry now also expects them to report cyber attacks to CERT-In (Indian Computer Emergency Response Team).

“We have guidelines around cyber security protocols laid out by the RBI and separate reporting mechanisms. We are not clear about the thought process behind the separate list of regulations and separate reporting mechanisms,” Ghule pointed out.

With wallets having only 10% share of the entire digital payments volume in the country, regulations should cover the entire payments spectrum from banks to payment gateways, Ghule added.

Assuring that wallet companies already adhere to strict security guidelines, Bipin Preet Singh, co-founder of mobile wallet company Mobikwik, said: “We have a security system which is PCI DSS and ISO 27001 certified, and our grievance redressal tickets are also closed within 30 minutes of being raised.”